I’ve always said, if I ever win the lottery, the first thing I’m outsourcing is a chauffeur. I hate to drive. It’s part of the reason I moved to a major city; I wanted to take public transit. Now, with the rise of autonomous vehicles, maybe I won’t have to. Autonomous, or driverless cars, are quite the rage these days (if you haven’t already, listen to the Michael Echols Reimagining Cyber episode, Smart Cities, Hair Dryers, Cyber Intel Sharing… Oh My! The Intricacies of Cybersecurity, where he talks about his autonomous vehicle project, U2C in Jacksonville, FL). While having a driverless car sounds cool, what’s not cool is the idea of said vehicle being hacked and having a mind of its own.
In 2015, two white hat hackers hacked a Jeep on the highway, shutting down the engine, blaring the radio, and turning on the windshield wipers. This was intentional: Charlie Miller and Chris Valasek, the two hackers who brought the Jeep to a halt, were trying to poke holes in the SUV’s security infrastructure. Still, the idea that this could happen on a random Tuesday while I’m driving my nieces to T-ball is terrifying.
Ikjot Saini, Assistant Professor at the University of Windsor in Windsor, Ontario, is an expert in connected and autonomous vehicles and vehicle security. In this week’s Reimagining Cyber episode, “Connected Vehicles and the Cyber Equivalent of Seatbelts and Airbags,” she does a deep dive into the cybersecurity intricacies of autonomous cars, the importance of standards and regulations, working as a team, and thinking outside the box when it comes to automotive security.
The automotive industry houses an intricate and delicate ecosystem with many industry-specific details and nuances, particularly regarding security, that need to be considered. Security threats no longer impact and involve only IT; now they also involve OT and auto security.
“Because all of these components or aspects are part of the big ecosystem, and then you would be able to see, okay, there are so many blind spots and if you are just working in silos,” she said. “You need to break them and then work them collectively.”
Everyone needs to take ownership. When there is a hack, the finger is always pointed at IT first, Saini says. In reality, everyone plays a part and needs to be on their A game, asking themselves key questions like:
- Are you paying enough attention?
- What threats are you seeing?
- Are there safeguards around all aspects?
With regard to electric and autonomous vehicles:
- Are you making decisions based on the data?
- Who is feeding the data?
- How are you creating these algorithms?
“If you think a little bit futuristic…you start seeing more problems. If they are not addressed today when we are not having that kind of autonomy, then I think it's a huge gap that we would have, and we would never be able to fill that up.”
One way to prevent such incidents is to implement standards and regulations regarding automotive security. Standards and regulations need to be granular, down to the specific electric components of the vehicles, though the industry is still figuring out what exactly that means.
“There is going to be a lot of compliance required,” Saini said. “But for that compliance, you now need more than ever more regulations…Is it going to be more self-regulated? …What kind of industry is it going to be like?”
The rise and popularity of autonomous vehicles have brought about a myriad of security challenges (as evidenced by the 2015 Jeep incident).
“In the embedded system, I see a complete…new realm of security threats,” she says. “You have never thought of testing a little piece of code when you're like writing it. Now you need it [to].”
Now, each little component can give rise to multiple security threats. It’s better to fix problems in the testing and development stage; otherwise, they could have a major impact.
While I think having a driverless car is cool, I think I’ll wait a bit until a few of the kinks have been worked out before I jump into the driver’s seat.
What about you? Do you want a driverless car? Let me know in the comments below!
CyberRes is a Micro Focus line of business focused on helping companies protect, detect, and evolve their security framework and helping organizations become more cyber resilient. To learn more, visit CyberRes.com and CyberResilient.com.